Never has there been a more fitting username with a comment. It’s so true. I would hop over to another more future proof solution in a heart beat if it existed. This is all compounded by the fact that once you learn the quirks and get it in a good place you start not minding it so much. It’s somewhere between sunk cost fallacy and Stockholm syndrome.

Awesome, thank you, this is exactly what I was thinking when you mentioned it earlier.

I figured it was the enforcing of the trusted proxy mechanism mentioned in the release notes (only noticed because of an earlier thread here, thanks!). Once I updated my server and set the proxy settings all my clients needed to be signed again.

Yeah I don’t think anyone sane would disagree. That’s what forced the decision for me, to expose or not. I was not going to try talking anyone through VPN setup, so exposure + whatever hardening practice could be applied. I wouldn’t really advocate for this route, but I like hearing from others doing it because sometimes a useful bit of info or shared experience pops up. The folder path explanation is news to me; time to obfuscate the hell out of that.

I think they’re meaning exposing it to the public for the pirate tv use case. In my personal experience (1 non savvy user using the roku app, no vpn), it’s not much support. I had to talk them through initial sign on, and through re-sign-on after that latest update that forced it. Of course ymmv, but two 5 minute tech sessions with grandma over 2 years of consistent usage ain’t that bad.

My automated workflow is to package up backup sources into tars (uncompressed), and encrypt with gpg, then ship the tar.gpg off to backblaze b2 and S3 with rclone. I don’t trust cloud providers so I use two just in case. I’ve not really been in the need for full system backups going off site, rather just the things I’d be severely hurting for if my home exploded.

But to your main questions, I like gpg because you have good options for encrypting things safely within bash/ash/sh scripting, and the encryption itself is considered strong.

And, I really like rclone because it covers the main cloud providers and wrangles everything down to an rsync-like experience which also pretty tidy for shell scripting.

Honestly I’m not sure, or maybe I knew but forgot. Since working out my needs I wrote it to ansible and never looked back. Worth trying the more secure way for sure.

I do this on the minimal Debian release which is essentially coming from the same place, you’re left to get things configured with a root user or maybe a privileged user after install. There’s a few things to tweak for rootless podman and it will vary based on the distro. The gist for me and Debian is:

1. make an unprivileged account for running podman containers
2. enable linger so i can use systemd with this account and the running of the containers
3. allow lower ports for podman rootless in sysctl (for example, 80 if you’re running basic http services rootless), net.ipv4.ip_unprivileged_port_start=<start of lower range of ports rootless containers will use>
4. run containers with the appropriate --userns flags. This can vary a lot depending on the container. Some maintainers are nice and ensure the internal uid/gid is something expected like 1000, sometimes not and you have to fire it up and figure out the app account name, uid/gid. An example I’ll put here is a podman run snippet for running jenkins (official image from cloudbees) rootless:

podman run --name jenkins --user jenkins --userns=keep-id:uid=1000,gid=1000 ...

Again, that’s just Debian, never tried MicroOS, but if MicroOS isn’t doing anything special to accommodate rootless podman I imagine these steps are somewhat applicable. One issue I ran into was with an older version of Podman, whatever comes with Ubuntu 22: That version of podman requires you to set the namespace mappings; Debian 12’s version does not and the --userns=keep… flag just works.

I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.

The Earthsea books play heavily on both born in attributes and acquired skills, and I’d even say the interplay between those two concepts. Really great books for youth and adults.

I recently caved and decided to try the other method after years of doing it this way. Flip every 30 seconds, and take note of doneness in the beginning by feel. You build a better crust this way and get more even and predictable cooking. Turns out that frequent flipping does not dry things out

That’s a great question, never really considered it before. I seem to recall the front structure was able to be packed with warheads and launched at whatever, presumable with some targeting. Maybe the idea was 5 or 6 ships doing this on a cube could put it out of commission. Reminds me of torpedo boats.